1. Field of the Invention
The present invention relates generally to computer systems, and more particularly but not exclusively to techniques for combating computer viruses.
2. Description of the Background Art
The threat posed by computer viruses to computer systems is well documented. Computer virus code can corrupt or delete important files, send e-mails without user authorization, render a computer inoperable, or cause other types of damage to a computer. From the old Disk Operating System (DOS) era to the current Windows 32-bit (Win32) platform, evolving virus technology has escalated the contest between virus writers and antivirus researchers. Skilled virus coders continue to generate new types of viruses that escape antivirus programs.
Polymorphic viruses are characterized by having the constant part of the virus body (except the data areas) encrypted, with the encryption method, and hence the decryptor, varying from one infection to the next. Metamorphic viruses, on the other hand, have neither a decryptor nor a constant virus body, yet are able to create new generations that look totally different from one another. Obfuscating the virus code within the host program by complex techniques has been a common method of hiding viral code. Insertion of random garbage code (code that does not change the behavior of the program) and generation of do-nothing loops are among the techniques a clever virus coder uses to build such viruses.
Antivirus product developers constantly keep track of the latest advances in virus technology. However, most commercial antivirus products are still inadequate in detecting all possible forms of infection, given the elusive complexity of viruses. Most of these products rely on an old virus-matching technology called the “scan string.” In this approach, the string represents a virus pattern at a specific location in the file. When applied to metamorphic viruses, this method fails outright, since metamorphic viruses contain no constant scan string and mutate from one infection generation to the next.
Another conventional technique used to combat viruses is the so-called “byte searching,” which is another form of scan string. In this approach, the antivirus program parses consecutive locations of the file, searching for certain byte sequences. The drawback of this approach is that it is too slow, because it searches the whole code portion of the file for the specific byte sequences. On small files with small code portions the overhead may not be significant, but on large files with large code portions a noticeable drop in scanning performance is apparent right away.
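The following added example (not code from the original document) contrasts the two techniques described above. A fixed-offset scan string is compared against a naive whole-code byte search on a constructed x86 fragment, on a generation of it that has had garbage code inserted in front, on a generation with a register renamed, and on the fragment appended to a large host. The byte sequences, the “signature” and the host are all constructed for illustration; the comparison counter is there to make the cost of byte searching visible.

```python
"""Scan-string matching at a fixed offset versus byte searching over the
whole code portion.  Added example; not code from the original document.
The byte sequences are hand-assembled x86 fragments constructed as sample
input, and the 'signature' is an arbitrary constructed pattern."""

# Constructed virus body (x86, Intel syntax):
#   33 C0             xor eax, eax
#   B9 10 00 00 00    mov ecx, 0x10
#   E8 00 00 00 00    call $+5
#   C3                ret
VIRUS_BODY = bytes.fromhex("33C0 B910000000 E800000000 C3")

# Scan string: the first seven bytes of the body, expected at a fixed
# position (here offset 0 of the code portion).
SIGNATURE = bytes.fromhex("33C0 B910000000")
SIGNATURE_OFFSET = 0

# Garbage a metamorphic engine might prepend; none of it changes state:
#   90                nop
#   8B C0             mov eax, eax
#   90                nop
GARBAGE = bytes.fromhex("90 8BC0 90")


def scan_string_match(code: bytes, sig: bytes, offset: int) -> bool:
    """Classic scan string: one comparison at one fixed location."""
    return code[offset:offset + len(sig)] == sig


def byte_search(code: bytes, sig: bytes) -> tuple[int, int]:
    """Naive byte searching over the whole code portion.

    Returns (match offset or -1, number of byte comparisons made), so the
    cost can be seen growing with the size of the code portion."""
    comparisons = 0
    for i in range(len(code) - len(sig) + 1):
        j = 0
        while j < len(sig) and code[i + j] == sig[j]:
            j += 1
        # j matching bytes, plus the mismatching one unless all matched
        comparisons += j + (1 if j < len(sig) else 0)
        if j == len(sig):
            return i, comparisons
    return -1, comparisons


def insert_garbage(body: bytes, garbage: bytes) -> bytes:
    """Next generation that merely pushes the body behind junk code."""
    return garbage + body


def rename_registers(body: bytes) -> bytes:
    """Next generation that rewrites the first instruction to use ebx:
    33 C0 (xor eax, eax) becomes 33 DB (xor ebx, ebx)."""
    return bytes.fromhex("33DB") + body[2:]


def detect(code: bytes) -> dict:
    """Apply both techniques to one code portion."""
    offset, cost = byte_search(code, SIGNATURE)
    return {
        "scan_string": scan_string_match(code, SIGNATURE, SIGNATURE_OFFSET),
        "byte_search": offset != -1,
        "byte_search_comparisons": cost,
    }


if __name__ == "__main__":
    # A large host whose code portion is 64 KiB of zeros (constructed)
    # with the virus appended: byte searching pays for every byte.
    host = bytes(65536) + VIRUS_BODY
    for label, sample in [("original", VIRUS_BODY),
                          ("garbage inserted", insert_garbage(VIRUS_BODY, GARBAGE)),
                          ("registers renamed", rename_registers(VIRUS_BODY)),
                          ("appended to 64 KiB host", host)]:
        print(f"{label:24s} {detect(sample)}")
```

Garbage insertion alone defeats the fixed-offset scan string while byte searching still finds the shifted pattern, at a cost that grows with every byte of the code portion; a generation that changes the instruction bytes themselves (the register rename) defeats both, which is the metamorphic case the text describes.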
An existing method used to detect viruses that combine polymorphism and metamorphism is the so-called “manual decryption.” In this technique, the polymorphic decryptor is reversed to recover the decrypted virus code. This method also suffers in scanning speed. Because the decryptor of such a virus typically does not reside at a fixed location, the antivirus program must first search for it; just like byte searching, this entails too much scanning time overhead.
There are also non-commercial tools that use geometric detection methods, based on the modifications a virus makes to a file's structure. These tools check for virus signatures and for modified section headers, and have the advantage of separating normal files from viral ones right away. However, they do not provide exact identification of the virus, since their detection is not based on the virus code itself; and because the detection is not exact, it is also prone to false positives.
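As an added example of what a geometric check looks like (not code from the original document or from the tools it mentions), the block below builds two constructed PE32 header layouts inline, parses their section tables, and flags structural signs commonly left by an appending file infector: an entry point inside the last section, and a last section that is both writable and executable. The heuristics are chosen for illustration; as the text notes, a hit says nothing about which virus is present, and legitimately packed executables produce the same shape.

```python
"""Geometric detection: checks on the PE section-table 'shape' rather than
on virus code.  Added example; not code from the original document or from
the tools it mentions.  The heuristics are common appending-infector
indicators chosen for illustration, and the sample headers are built
inline with build_pe() (constructed; no real files are read)."""
import struct

# Section characteristics bits from the PE/COFF file format.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)
PE32_OPTIONAL_HEADER_SIZE = 224


def build_pe(sections, entry_rva):
    """Assemble just enough of a PE32 image for header parsing: DOS header,
    PE signature, COFF header, optional header and section table.
    Each section is (name, virtual_size, virtual_address, size_of_raw_data,
    pointer_to_raw_data, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    optional = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)       # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, va,
                    rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, va, rawsize, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


def parse_headers(data):
    """Return (entry_rva, [section dicts]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER, data,
                                    opt + opt_size + i * SECTION_HEADER_SIZE)
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = fields
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def geometric_indicators(data):
    """Structural signs an appending file infector tends to leave behind.
    A hit is only a hint: packers produce the same shape, which is why
    this kind of check is prone to false positives."""
    entry_rva, sections = parse_headers(data)
    if not sections:
        return ["no sections"]
    findings = []
    last = sections[-1]
    home = next((s for s in sections
                 if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])),
                None)
    if home is None:
        findings.append("entry point lies outside every section")
    elif home is last and len(sections) > 1:
        findings.append("entry point lies in the last section (%s)" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section is both writable and executable")
    return findings


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample images: a plain two-section layout, and the same
# layout after an appending infector grew .data, made it executable and
# pointed the entry point at its own code there.
CLEAN = build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400, TEXT),
                  (b".data", 0x200, 0x2000, 0x200, 0x1400, DATA)],
                 entry_rva=0x1010)
INFECTED = build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400, TEXT),
                     (b".data", 0x800, 0x2000, 0x800, 0x1400,
                      DATA | IMAGE_SCN_MEM_EXECUTE)],
                    entry_rva=0x2300)

if __name__ == "__main__":
    print("clean:   ", geometric_indicators(CLEAN))
    print("infected:", geometric_indicators(INFECTED))
```

Nothing here looks at the bytes at the entry point, which is exactly the limitation the text describes: the check filters quickly, but it cannot name the virus and will also flag files that merely share the layout.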
Emulators have also been used to combat computer viruses. Emulators allow virus code to execute in a controlled environment, where the monitored code can be examined periodically or only when special instructions are executed. The effectiveness of emulators in detecting viruses depends on how they are implemented. Quite apart from metamorphism, any virus can place trigger conditions at the start of its code, before the infection routine; an emulator that follows only one execution path will miss samples in which the infection condition is not met and the infection routine never executes. Another major drawback of this technique is scanning speed: when applied to viruses that insert many do-nothing loops before the actual virus code, detection speed suffers.
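Both emulator drawbacks above can be reproduced with the following added example (not code from the original document). It is a small interpreter for a constructed toy instruction set running a constructed sample program that checks an environment-supplied trigger (the day of the month), spins a do-nothing loop, and only then reaches its infection routine. Running it single-path on a non-trigger day sees nothing; giving it a budget too small for the loop stops it before the infection routine even on the trigger day; forking on branches that depend on environment input reaches the routine regardless of the day. The taint-based forking is one assumed mitigation, not a technique the text attributes to any product.

```python
"""Single-path emulation versus forking on input-dependent branches, with
an instruction budget.  Added example; not code from the original document.
The instruction set, the sample 'virus' program and the environment
(a day-of-month trigger) are all constructed for illustration."""
import copy

# Constructed sample: trigger check first, then a do-nothing loop, then the
# infection routine.  Tuples are (opcode, operands...); registers are names.
LOOP_COUNT = 50_000
VIRUS = [
    ("load_env", "r0", "day"),   # 0: r0 = current day of month
    ("cmp", "r0", 13),           # 1: trigger only on the 13th
    ("jne", 7),                  # 2: otherwise exit without infecting
    ("mov", "r1", LOOP_COUNT),   # 3: do-nothing loop ...
    ("dec", "r1"),               # 4:
    ("jnz", 4),                  # 5: ... burns 2*LOOP_COUNT instructions
    ("infect",),                 # 6: the behaviour a scanner wants to see
    ("exit",),                   # 7
]


def emulate(program, env, budget, fork_on_env_branches=False):
    """Run `program` until each explored path exits or spends its budget.

    Registers loaded from the environment are marked tainted; a branch on a
    tainted flag is forked only when fork_on_env_branches is set.  The
    forked copy keeps the concrete registers, so this is an unsound 'what if
    the other branch were taken' exploration, not a constraint solver."""
    worklist = [{"pc": 0, "regs": {}, "tainted": set(),
                 "zf": False, "zf_tainted": False, "left": budget}]
    observed, paths, steps, exhausted = set(), 0, 0, False
    while worklist:
        st = worklist.pop()
        paths += 1
        while True:
            if st["left"] == 0:
                exhausted = True
                break
            st["left"] -= 1
            steps += 1
            op, *args = program[st["pc"]]
            nxt = st["pc"] + 1
            if op == "load_env":
                st["regs"][args[0]] = env[args[1]]
                st["tainted"].add(args[0])
            elif op == "mov":
                st["regs"][args[0]] = args[1]
                st["tainted"].discard(args[0])
            elif op == "cmp":
                st["zf"] = st["regs"][args[0]] == args[1]
                st["zf_tainted"] = args[0] in st["tainted"]
            elif op == "dec":
                st["regs"][args[0]] -= 1
                st["zf"] = st["regs"][args[0]] == 0
                st["zf_tainted"] = args[0] in st["tainted"]
            elif op in ("jne", "jnz"):      # both branch when ZF is clear
                taken = not st["zf"]
                if fork_on_env_branches and st["zf_tainted"]:
                    other = copy.deepcopy(st)
                    other["pc"] = nxt if taken else args[0]
                    worklist.append(other)
                if taken:
                    nxt = args[0]
            elif op == "infect":
                observed.add("infect")
            elif op == "exit":
                break
            else:
                raise ValueError("unknown opcode %r" % op)
            st["pc"] = nxt
    return {"observed": observed, "paths": paths,
            "steps": steps, "exhausted": exhausted}


if __name__ == "__main__":
    # Scanned on a non-trigger day, a single-path emulator sees nothing.
    print(emulate(VIRUS, {"day": 1}, budget=1_000_000))
    # Forking on the environment-dependent branch reaches the infection.
    print(emulate(VIRUS, {"day": 1}, budget=1_000_000, fork_on_env_branches=True))
    # Even on the trigger day, a budget too small for the do-nothing loop
    # stops the emulation before the infection routine runs.
    print(emulate(VIRUS, {"day": 13}, budget=10_000))
```

The loop is the speed problem in miniature: every scanned file pays the full 2*LOOP_COUNT instructions before the emulator can see anything of interest, and raising the budget to cover it raises the cost for every clean file as well. Forking only on tainted branches keeps the untainted loop counter on a single concrete path, which is what stops the loop from multiplying paths.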